Security & Bug Bounty Program - Morpher

Responsible Vulnerability Disclosure Policy

Updated 08/01/2021

Overview

The safety of our customers' data and the uninterrupted functionality of our platform are of the highest concern to Morpher. Despite our regular audits, code reviews, and security checks, we are always happy to hear about the investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers.

This page aims to define a methodology by which we, the Morpher Team, can work with you, the security researcher, to improve our online security.

Scope

We are interested in all security issues you find, and we're happy to provide a bounty for specific critical bugs (depending on the severity).

What We're Looking For

We want to hear about every new (unreported) vulnerability that is considered “critical” and affects Morpher systems. Our systems include morpher.com, subdomains, and the Morpher Protocol. Examples of this include:

  • Data leaks & data tampering (especially involving user data)
  • Account take-overs or the ability to manipulate user accounts
  • Disruption of services for all/some users
  • Manipulation or disruption of the Morpher Protocol including trading, token operations, and admin functions.

Non-Critical but Good to Know

There are also many "non-critical" vulnerabilities we still want to hear about if you discover them. Often this is when best-practices aren't being followed such as:

  • Weak Ciphers or any other TLS configuration weakness
  • Missing security headers (CSRF, etc.)
  • Bad email configuration (SPF, DMARC, etc.)

Out of Scope

We will generally not consider investigating things that are out of our control such as:

  • Services hosted/run by 3rd parties
  • Any DoS or DDoS like vulnerabilities (overloading our systems with a high load is simply a bad idea)
  • Social Engineering, phishing, or even physical attacks (don’t do that, ever, really!)

The following vulnerabilities are explicitly not included in the bug bounty program and will not be responded to:

  • Fortmatic and other third-party issues, such as rate limiting vulnerabilities, session management misconfiguration, etc.
      Reason: We are not in the position to address and further fix those vulnerabilities, as they do not occur within our services.
  • Infrastructure information disclosure, such as header leakage.
      Reason: Infrastructure information leakage occurs through our third party providers, such as AWS and others.
  • iFrame related issues, such as clickjacking from our website.

Any bugs you experience in the app that are not "critical" should be shared with contact@help.morpher.com instead.

Rewards

We absolutely believe that great security research should be rewarded. Our reward structure is fluid; there is no lower or upper limit. It depends strictly on the severity of the vulnerability. More dangerous bugs command greater gratitude and higher rewards.

Report

If you discover a vulnerability in our systems, please email security@morpher.com.

Please include as much detail as possible. Depending on the complexity, it would be helpful to understand how to reproduce it, and what systems are involved. A quick guide or screencast is recommended.

If you report a vulnerability that our team is not yet aware of, we’ll evaluate the severity and inform you within 1 week if it's eligible for a bug bounty.

Guidance & Qualifications

Below are our requirements for how proper security research and reporting should be conducted:

  • Avoid accessing more data, or interrupting our services, beyond what is necessary to prove the existence of a vulnerability.
  • Do not communicate or disclose the vulnerabilities to third parties or the general public before we can address and fix the problematic systems.
  • Delete all data obtained as soon as the vulnerability is fixed, or 1 month after its discovery, whichever comes first.

In general, any action taken by you, the security researcher, should be limited to tests and sharing the information with us.
